
Commit

Bump SPDX tools to 1.1.0
This commit bumps SPDX tools to 1.1.0 preparing the CI to
validate SPDX 2.3 documents.

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
puerco committed Aug 26, 2022
1 parent 53f6c72 commit 4d0688f
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions .github/workflows/sbom.yaml
Expand Up @@ -4,6 +4,9 @@ on:
pull_request:
branches: ['main']

env:
SPDX_TOOLS_VERSION: 1.1.0

jobs:
go-version-m:
name: Generate go version -m
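Review bot: The new `SPDX_TOOLS_VERSION: 1.1.0` entry under `env:` carries no comment on the format the value must take. The install steps build the download URL as `v${SPDX_TOOLS_VERSION}`, so the value has to be the release number without a leading `v`; a one-line YAML comment above the variable saying so would keep a later bump from producing a broken URL.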
Expand Down Expand Up @@ -75,15 +78,15 @@ jobs:

- name: Install SPDX Tools
run: |
wget https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
unzip tools-java-1.0.4.zip
wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
unzip tools-java-${SPDX_TOOLS_VERSION}.zip
- name: Generate and Validate
run: |
img=$(go run ./ build ./)
go run ./ deps $img --sbom=spdx | tee spdx.json
java -jar ./tools-java-1.0.4-jar-with-dependencies.jar Verify spdx.json
java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx.json
- uses: actions/upload-artifact@v3
if: ${{ always() }}
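Review bot: In the Install SPDX Tools step, the zip fetched by `wget` is unpacked and its jar is then executed by `java -jar` with no integrity check on the download. Now that the version lives in one variable, consider recording the expected SHA-256 of the zip next to it and checking it (for example with `sha256sum -c`) before `unzip`, so that a version bump also has to update the digest.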
Expand All @@ -108,8 +111,8 @@ jobs:

- name: Install SPDX Tools
run: |
wget https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
unzip tools-java-1.0.4.zip
wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
unzip tools-java-${SPDX_TOOLS_VERSION}.zip
- name: Install Cosign
uses: sigstore/[email protected]
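Review bot: The `wget` and `unzip` lines in this Install SPDX Tools step are the same two lines as in the earlier job's step, so the workflow still has two copies of the install logic to keep in sync. Consider moving the install into one shared place that both jobs call, such as a composite action or a small script in the repository.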
Expand All @@ -121,7 +124,7 @@ jobs:
img=$(go run ./ build --platform=linux/amd64,linux/arm64 ./)
cosign download sbom $img | tee spdx-multi-arch.json
java -jar ./tools-java-1.0.4-jar-with-dependencies.jar Verify spdx-multi-arch.json
java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx-multi-arch.json
- uses: actions/upload-artifact@v3
if: ${{ always() }}
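Review bot: On the `cosign download sbom $img | tee spdx-multi-arch.json` line that feeds the updated Verify call, the pipeline's exit status is that of `tee`, so unless the step runs with `pipefail` a failed download leaves an empty or partial file and the error surfaces from Verify instead of from the download. Consider adding `set -o pipefail` at the top of the `run:` block and quoting `"$img"`.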
